New Printers Vulnerable To Old Languages

When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printers models had been quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years and one may raise the question if new printers share the same weaknesses.

35 year old bugs features

The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient, de-facto standards and still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a $2,799 HP PageWide Color Flow MFP 586 brand-new high-end printer. Like its various predecessors, the device was vulnerable to the following attacks:

• Capture print jobs of other users if they used PostScript as a printer driver; This is done by first infecting the device with PostScript code
• Manipulate printouts of other users (overlay graphics, introduce misspellings, etc.) by infecting the device with PostScript malware
• List, read from and write to files on the printers file system with PostScript as well as PJL functions; limited to certain directories
• Recover passwords for PostScript and PJL credentials; This is not an attack per se but the implementation makes brute-force rather easy
• Launch denial of Service attacks of various kinds:
  • PostScript based infinite loops
  • PostScript showpage redefinition
  • Disable jobmedia with proprietary PJL
  • Set the device to offline mode with PJL

Now exploitable from the web

All attacks can be carried out by anyone who can print, which includes:

• Web attacker:
  • A malicious website that uses XSP
• Network access:
  • Via Jetdirect (port 9100/tcp)
  • Via LPD (port 515/tcp)
  • Via IPP (port 631/tcp)
• Wireless access:
  • Apple Air Print (enabled by default)
• Cloud access:
  • Google Cloud Print (disabled by default)
• Physical access:
  • Printing via USB cable or USB drive
  • Potentially NFC printing (haven't tested)

Note that the product was tested in the default configuration. To be fair, one has to say that the HP PageWide Color Flow MFP 586 allows strong, Kerberos based user authentication. The permission to print, and therefore to attack the device, can be be limited to certain employees, if configured correctly. The attacks can be easily reproduced using our PRET software. We informed HP's Software Security Response Team (SSRT) in February.

Conclusion: Christian Slater is right

PostScript and PJL based security weaknesses have been present in laser printers for decades. Both languages make no clear distinction between page description and printer control functionality. Using the very same channel for data (to be printed) and code (to control the device) makes printers insecure by design. Manufacturers however are hard to blame. When the languages were invented, printers used to be connected to a computer's parallel or serial port. No one probably thought about taking over a printer from the web (actually the WWW did not even exist, when PostScript was invented back in 1982). So, what to do? Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers. As long as we have legacy languages, we need workarounds to mitigate the risks. Otherwise, "The Wolf" like scenarios can get very real in your office…

Related posts

1. World No 1 Hacker Software
2. Hack Tools For Windows
3. Pentest Tools Bluekeep
4. Github Hacking Tools
5. Hacking Tools For Windows 7
6. Pentest Tools Bluekeep
7. Pentest Tools Open Source
8. Hak5 Tools
9. Hack Tools 2019
10. Pentest Tools For Mac
11. Hacking Tools Kit
12. Hack Tools Online
13. Pentest Tools Linux
14. Pentest Tools Subdomain
15. What Are Hacking Tools
16. Pentest Tools For Ubuntu
17. Best Hacking Tools 2020
18. Install Pentest Tools Ubuntu
19. Pentest Tools Android
20. Nsa Hacker Tools
21. Pentest Tools Url Fuzzer
22. Bluetooth Hacking Tools Kali
23. Nsa Hack Tools
24. Hacker Tools For Pc
25. Hacking Tools Usb
26. Black Hat Hacker Tools
27. Kik Hack Tools
28. Pentest Tools Framework
29. Pentest Tools Open Source
30. Pentest Tools Framework
31. Hak5 Tools
32. Hacker Search Tools
33. Hacking Tools For Kali Linux
34. Nsa Hacker Tools
35. Pentest Automation Tools
36. What Are Hacking Tools
37. Pentest Tools For Mac
38. Pentest Tools Download
39. Hacker Tools 2019
40. Hacking Tools Github
41. Top Pentest Tools
42. Hacker Tools For Pc
43. Tools 4 Hack
44. Hacker Tools 2019
45. Hacker
46. Hack Tools
47. Hacker Tools Online
48. Hack Apps
49. Hacking Tools For Beginners
50. Best Pentesting Tools 2018
51. How To Install Pentest Tools In Ubuntu
52. Hacking Tools For Mac
53. Hack Tools For Mac
54. Hacker Tools 2020
55. Tools 4 Hack
56. Pentest Tools
57. How To Make Hacking Tools
58. Hacking Tools And Software
59. Hacker Tools Apk Download
60. Install Pentest Tools Ubuntu
61. Pentest Tools Port Scanner
62. Hack Tools Pc
63. Bluetooth Hacking Tools Kali
64. Hacking Tools Pc
65. Hack Tools Online
66. Computer Hacker
67. Hacking Tools For Beginners
68. Hack Tools For Windows
69. Pentest Tools For Windows
70. Hacker Tools Apk
71. Pentest Tools Url Fuzzer
72. Easy Hack Tools
73. Install Pentest Tools Ubuntu
74. Hack Tools Github
75. Game Hacking
76. Blackhat Hacker Tools
77. Hacking Tools For Windows Free Download
78. Hack Tool Apk No Root
79. Hacking Tools Github